Although tainting the master is normally a good and proper thing to do in some
situations (docker for mac in our case, but I suppose minikube and such as
well) having a single host configuration is desirable.
In linuxkit we have a [workaround](443e47c408/projects/kubernetes/kubernetes/kubeadm-init.sh (L19...L22))
to remove the taint after initialisation. With the change here we could simply
populate /etc/kubeadm/kubeadm.yaml` with `noTaintMaster: true` instead and have
it never be tainted in the first place.
I have only added this to the config file and not to the CLI since AIUI the
latter is somewhat deprecated.
The code also arranges to _remove_ an existing taint if it is unwanted. I'm
unsure if this behaviour is correct or desirable, I think a reasonable argument
could be made for leaving an existing taint in place too.
Signed-off-by: Ian Campbell <ijc@docker.com>
Audit logs are configurable via the MasterConfiguration file.
All options are ignored unless the FeatureGate is enabled.
Fixeskubernetes/kubeadm#623
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
Automatic merge from submit-queue (batch tested with PRs 57824, 58806, 59410, 59280). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
2nd try at using a vanity GCR name
The 2nd commit here is the changes relative to the reverted PR. Please focus review attention on that.
This is the 2nd attempt. The previous try (#57573) was reverted while we
figured out the regional mirrors (oops).
New plan: k8s.gcr.io is a read-only facade that auto-detects your source
region (us, eu, or asia for now) and pulls from the closest. To publish
an image, push k8s-staging.gcr.io and it will be synced to the regionals
automatically (similar to today). For now the staging is an alias to
gcr.io/google_containers (the legacy URL).
When we move off of google-owned projects (working on it), then we just
do a one-time sync, and change the google-internal config, and nobody
outside should notice.
We can, in parallel, change the auto-sync into a manual sync - send a PR
to "promote" something from staging, and a bot activates it. Nice and
visible, easy to keep track of.
xref https://github.com/kubernetes/release/issues/281
TL;DR:
* The new `staging-k8s.gcr.io` is where we push images. It is literally an alias to `gcr.io/google_containers` (the existing repo) and is hosted in the US.
* The contents of `staging-k8s.gcr.io` are automatically synced to `{asia,eu,us)-k8s.gcr.io`.
* The new `k8s.gcr.io` will be a read-only alias to whichever regional repo is closest to you.
* In the future, images will be promoted from `staging` to regional "prod" more explicitly and auditably.
```release-note
Use "k8s.gcr.io" for pulling container images rather than "gcr.io/google_containers". Images are already synced, so this should not impact anyone materially.
Documentation and tools should all convert to the new name. Users should take note of this in case they see this new name in the system.
```
This is the 2nd attempt. The previous was reverted while we figured out
the regional mirrors (oops).
New plan: k8s.gcr.io is a read-only facade that auto-detects your source
region (us, eu, or asia for now) and pulls from the closest. To publish
an image, push k8s-staging.gcr.io and it will be synced to the regionals
automatically (similar to today). For now the staging is an alias to
gcr.io/google_containers (the legacy URL).
When we move off of google-owned projects (working on it), then we just
do a one-time sync, and change the google-internal config, and nobody
outside should notice.
We can, in parallel, change the auto-sync into a manual sync - send a PR
to "promote" something from staging, and a bot activates it. Nice and
visible, easy to keep track of.
In OpenStack environment, when there is no metadata service, we
look at the config drive to figure out the metadata. Since we need
to run commands like blkid, we need to ensure that api server and
kube controller are running in the privileged mode.
So add a new field in MasterConfiguration for specifying that the
api server and controller manager (s) need extra privileges. Added
a TODO to remove this code when we fully yank out cloud provider
specific calls from these processes.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix incorrect hairpin-mode value and validate it
**What this PR does / why we need it**:
* Fix incorrect hairpin-mode value
* Add validation
**Which issue(s) this PR fixes**:
Fixes#57609
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fixed typo in kubeadm/v1alpha1/defaults.go
**What this PR does / why we need it**:
fixed some typo in comment
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 55954, 56037, 55866, 55984, 54994). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Improve kubeadm validation unit test coverage.
**What this PR does / why we need it**:
From:
`ok k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/validation 0.100s coverage: 92.3% of statements`
To:
`ok k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/validation 0.114s coverage: 100.0% of statements`
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
/cc @luxas
**Release note**:
```release-note
NONE
```
In commit 3a0aa06fc9, the flag
was changed from `ignore-checks-errors` to `ignore-preflight-errors`,
but the condition check in ValidateMixedArguments was not updated.
So specifying say `--config kubeadm.conf --ignore-preflight-errors all`
would fail.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use kube-proxy ComponentConfig in kubeadm clusters
This change adds configuring the kube-proxy bind address to be an
IPv6 address based on the whether the API server advertise address is IPv6.
It is doing this via the kube-proxy ComponentConfig API now from v1.9
**What this PR does / why we need it**:
This PR sets the bind address for kube-proxy to be a IPv6 address. This is needed for IPv6
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#50927
Fixes https://github.com/kubernetes/kubeadm/issues/527
**Special notes for your reviewer**:
**Release note**:
```release-note
Adds kubeadm support for using ComponentConfig for the kube-proxy
```
Automatic merge from submit-queue (batch tested with PRs 51494, 56097, 56072, 56175). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Implement individual control for kubeadm preflight checks
**What this PR does / why we need it**:
With new flag `--ignore-checks-errors` user is able to
decrease severity of each individual check error to warning.
Old flag `--skip-preflight-checks` now acts as `--ignore-checks-errors=all` and will produce warnings.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#480
**Special notes for your reviewer**:
/area kubeadm
/sig cluster-lifecycle
cc @luxas
**Release note**:
```release-note
New kubeadm flag `--ignore-checks-errors` that enables to decrease severity of each individual error to warning.
Old flag `--skip-preflight-checks` is marked as deprecated and acts as `--ignore-checks-errors=all`
```
With new flag `--ignore-checks-errors` user is able to
decrease severity of each individual check to warning.
Old flag `--skip-preflight-checks` now acts as
`--ignore-checks-errors=all` and will produce warnings.
Fixes: kubernetes/kubeadm#480
